On Tue, Aug 3, 2021 at 8:00 AM Ben Wilson <[email protected]> wrote:
>
> Chunghwa Telecom
>
> This is to announce the beginning of the public discussion phase of the
> Mozilla root CA inclusion process for Chunghwa Telecom’s request to include
> the HiPKI Root CA - G1 Certificate in the root store as a TLS/SSL-only root
> CA. See https://wiki.mozilla.org/CA/Application_Process#Process_Overview,
> (Steps 4 through 9).
>

I have a number of questions related to statements in the CP and CPS that hopefully can be cleared up. There's a number of small infelicities, likely due to my misunderstanding or ignorance.

The CP refers to security levels from 1 to 4. However any CA can issue a certificate for any domain name: is there a minimum security level CAs will be obliged to meet for signing?

In section 6.6. of the CP 2 it's stated that level 4 means Webtrust security practices must be followed, but then in section 8 it says that a compliance audit with Webtrust must be conducted for every Level 2 or higher CA. These seem at odds to me.

For the CPS of the intermediate CA I see that section 3.2.5.2 lists a number of ways to validate domain control. I'd like to understand what risk assessment has been done of each of these methods, some of which seem more amenable to automation than others. There doesn't seem to be any statement about automating this process.

Section 4.2.1.1 is a bit funny: I agree it's the right result to get the applicant to fix their busted CAA record, and after confirming it's correct, issue the EV cert (assuming all other checks went through), but it does seem a bit funny to me in the way it's worded.

Sincerely,
Watson Ladd

--
Astra mortemque praestare gradatim
